Sage Advice - Cybersecurity Blog

What Makes a Strong Password?

Between personal accounts and work accounts, the sheer number of credentials and passwords that we have to manage can be overwhelming and inconvenient – especially if we forget them. While managing passwords may be a pain, it’s necessary if we want to protect our personal information. After all, cybersecurity is everyone’s responsibility.

With nearly everything going digital, including our personal and sensitive information (think credit cards, social security numbers, and confidential company information), now is the time to be diligent with managing our passwords, especially as credential theft remains a primary target for cybercriminals.

What do I mean by all of this? In short, even if it’s inconvenient, passwords must be strong with two-factor authentication enabled on all our accounts. Let’s explore what makes a password strong.

1. Use Complex Passwords, or...

One way we can make passwords more secure is by making them complex. For example, when we sign up for a new account, companies often require a password to be a certain length, and contain characters like uppercase and lowercase letters, numbers, and special characters. A complex password has multiple character types (such as Xyz23!) but having a complex password does not automatically make it strong.

To be considered strong, the password also needs to be sufficiently long. Password complexity requirements are often set by your company and usually require a certain length depending on the type of account you are trying to create. For example, your personal banking account password requirements will probably be stricter than your free Spotify account.

2. ...better yet, take it a step further by using passphrases

Passwords should always be complex, but don’t make them so complex that you will never remember them. When a user sets a difficult to remember password and doesn’t use a password manager, they tend to write it down on paper or store it in a document on their computer, therefore making that password less secure.

Another great option is to use a passphrase – a memorable string of words, including different characters and special characters – to increase the security of your complex passwords. According to the FBI, who recommends passphrases over password complexity, passphrases should combine multiple words into a long string of at least 15 characters. Passphrases are harder to crack even if they are simple words and don’t contain special characters, simply because the hacker requires more computational resources to crack it.

The XKCD graphic below illustrates the benefit of using a passphrase over a traditional password.

3. Don’t reuse passwords

To be extra cautious, if you have administrative access to a device or a network, even if it’s your home device, you should always use two separate login accounts. One that you use for your day-to-day activities that does not have administrative rights and another account that you use when you need to perform your administrative tasks.

Finally, it’s always wise to use a password manager. There are many to choose from. One great feature is that they can randomly generate your security question answers, passwords, and usernames. When using a password manager, don’t forget your master password, always do backups, and store critical passwords in a secure, air-gapped location.

How often should you change your password? Believe it or not, the FBI recommends that passwords should be changed only when you suspect your account has been compromised. The reason for this is because forcing users to frequently change passwords can lead to poor password hygiene. For example, changing Winter2020 to Spring2020. (Can you guess what the next password is going to be? So can the hacker!)

4. Always use two-factor authentication

Whether you choose to use a password or a passphrase, having two-factor authentication on your accounts adds a critical level of protection to your accounts. According to an article found in Tech Crunch, two factor authentication uses two factors of authentication and “combines something you know – your username and password, with something you have – such as a phone or physical security key, or even something you are – like your fingerprint or other biometric measures, as a way of confirming that a person is authorized to log in.”

Two-factor authentication adds another step to your log-in process. After submitting your username and password, you will be directed to enter things like a code sent in a text message, a PIN, answer to a security question, or a biometric measure such as your fingerprint.

One highly effective two-factor authentication method is a physical security key – a secure USB stick that you plug into your computer. When you log into your account, you will be triggered to enter the cryptographically unique key into your computer. Even if someone steals your password, they won’t be able to access your computer without the key. Two popular types are the Google Titan key and YubiKey, both of which are supported by most major websites where you may have accounts.

Implement these four helpful tips whenever possible

While using two-factor authentication (like something you know, something you have, or a security key) on your accounts whenever possible is preferable, not all websites or companies may support it.

First start by checking if your accounts support two-factor authentication. (Visit https://twofactorauth.org/ for a comprehensive list). If they do, enable it. If they don’t, make sure you are using complex passwords or passphrases. And if you buy a security key for use on major websites, start using it as soon as you get it.

The time that you take to ensure strong passwords today could stop an attacker in their tracks, so don’t wait on it!

Other Resources

The Federal Trade Commission provides a wealth of information on Online Security, including passwords. For more information, visit Online Security.

Request More Information

Subscribe to Email Updates

The Tyler Cybersecurity Lifecycle

Cybersecurity isn’t a destination.

There is no single, straight path that will get you to the point where you can say, “We did it! We’re 100% cyber-secure.”

A more realistic destination is cyber resiliency – the ability to prepare for and adapt to changing conditions, so you can withstand and recover rapidly from disruptions. Achieving cyber resilience depends on what we like to call the cybersecurity lifecycle – an ongoing cycle of interconnected elements that compliment and reinforce one another.